In this newsletter, we examine the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Rules”) issued under the Information Technology Act, 2000 (the “Act”) in India. We also examine the essential website and app documentation to be provided under the Rules and the requirement of Terms of Use and its essential features.

  1. Privacy Policy: Section 43A of the Act, read with the Rules, requires any company that collects, receives, possesses, handles or stores information to have a privacy policy. The privacy policy must be published on the website or app of the company and must provide for the following:
    Disclosure: The privacy policy must disclose:

    • clear and easily accessible statements of its practices and policies;
    • the type of personal information collected;
    • the purpose of collection and usage of such information;
    • disclosure of information and sensitive personal data as provided under the Rules; and
    • reasonable security practices and procedures in place to keep information secure.


    Prior consent of the user is required for the collection and disclosure of sensitive personal data or information.

    In addition, the company must implement security standards and practices and have a comprehensively documented information security programme and security policies that contain managerial, technical, operational and physical security measures that are commensurate with the information assets being protected. One such standard referred to in the Rules is the International Standard IS/ISO/IEC 27001 on “Information Technology Security Techniques”.

  2. Terms of Use – The website or app Terms of Use detail the terms and conditions that the user must abide by while using the website or app, as the case may be. Owners or operators of a website or app allowing user interaction must protect their business from a contractual perspective. Accordingly, the Terms of Use must provide clauses pertaining to acceptable use and restrictions of the website and app, disclaimer of liability, the license granted, intellectual property rights infringements, the applicable law and jurisdiction and other legal information. Although no particular laws or regulations govern what must be contained in the Terms of Use for a website and app, such Terms of Use are broadly governed by the Indian Contract Act, 1872 and the Information Technology Act, 2000.

Conclusion: The privacy policy of the website or app must adhere to the provisions of the Rules. The Terms of Use must always be drafted keeping in mind the Indian Contract Act and the Information Technology Act, 2000. Hopefully, the proposed Personal Data Protection Bill, 2019 (“PDPB”), which was introduced in the Lok Sabha in India by the Minister of Electronics and Information Technology on December 11, 2019, will throw more light on the compliances to be undertaken by the owners of websites and apps to ensure the protection of the privacy of individuals in relation to their data.